System for providing services and virtual programming interface

ABSTRACT

The invention relates to a system for providing customer requested services relating to, for instance, security, monitoring and/or data acquisition in relation to a data processing device and/or a data network (Target 1-Target k) of a customer, wherein
one or more of a plurality of tests are selected to be executed in relation to said data processing device and/or a data network (Target 1-Target k), said selection (201; 202; 203; 210) of one or more tests are executed from a server (TSMADARS-server) which is connectable to said data processing devices and/or data network (Target 1-Target k) via a communication network (140), and wherein
data representing results of said selection of tests may be accessed by the customer via a communication network and/or transmitted to said customer.
Hereby the customer or user will have the advantage that it will not be necessary to install/download special testing software on the data processing equipment in question. Thus, problems in relation to the execution of such testing software as well as problems concerning the acquisition of the test results and the analysis of such results may be avoided. Further, as it often will be advantageous to utilize two or more different types or makes of testing software applications/systems, the need to invest in a multitude of testing software applications will be avoided by the invention. Similarly, expenses and labour involved in updating such testing software and/or purchasing new software as the already purchased versions become outdated or obsolete will be avoided.

FIELD OF THE INVENTION

[0001] The invention relates to a system for providing customer requested services according to claim 1, a system for preparing an automatic execution of a test program according to claim 16, a method of monitoring the traffic of data packets in a data network according to claim 19 and a virtual application programming editor according to claim 28.

BACKGROUND OF THE INVENTION

[0002] In order to be able to test, control and/or monitor the integrity, security and/or quality of a data system, e.g. a data processing system, a data processing device and/or a data network, a number of tests, e.g. test software applications, have been developed and utilized.

[0003] The proprietor or provider of a data system will have to purchase a number of different tests, e.g. software applications, in order to, for instance, be able to achieve a certain degree of security including detection and documentation, and accordingly take action on hacker attacks, cyber vandalism, unauthorized accessing of confidential data on the system, destruction or distortion of data, congestion of data processing, crashing of the data system etc. Different tests are normally dedicated to different scopes of the security problem and will have different advantages and flaws in relation to a particular data system and in relation to a particular security aspect.

[0004] Further, the development of data systems, e.g. both hardware and software, demands a corresponding development of the test software applications. Similarly, weaknesses and security flaws in data systems are discovered on an ongoing basis, demanding corresponding updating of current tests.

[0005] In consequence, a proprietor or a provider of a data system will have to invest in a number of different test programs, each facilitating said different security checks, in order to obtain a certain degree of security in relation to the data system. Further, the proprietor or provider will have to purchase new versions of said tests, updates and/or new tests in order to be able to retain the same degree of security. Finally the proprietor or provider will have to allocate labour resources to the task of implementing the tests, updating tests and/or installing new versions of tests.

[0006] Because of the expenses and efforts involved both in purchasing tests/updates and in running said tests, the efforts involved in the security may lead to a result which is far from optimal. Therefore a need exists to provide security testing, monitoring and other security related services to data systems, whereby the proprietor or provider of such data systems may obtain such tests etc. in order to be able to check the security level of his/her system, in order to be able to correct detected flaws/weaknesses, and in order to be able to retain the security level of the system/systems and preferably also improve the level of security without having to invest an increased amount of money, labour and effort.

[0007] These and other objects are achieved by the invention.

SUMMARY OF THE INVENTION

[0008] The invention relates to a system for providing customer requested services relating to, for instance, security, monitoring and/or data acquisition in relation to a data processing device and/or a data network (Target 1-Target k) of a customer, wherein

[0009] one or more of a plurality of tests are selected to be executed in relation to said data processing device and/or a data network (Target 1-Target k),

[0010] said selection (201; 202; 203; 210) of one or more tests are executed from a test, monitoring, alerting, documentation and reporting services

[0011] server (TSMADARS-server) which is connectable to said data processing devices and/or data network (Target 1-Target k) via a communication network (140), and wherein

[0012] data representing results of said selection of tests may be accessed by the customer via a communication network and/or transmitted to said customer.

[0013] Hereby the customer or user will have the advantage that it will not be necessary to install/download special testing software on the data processing equipment in question. Thus, problems in relation to the execution of such testing software as well as problems concerning the acquisition of the test results and the analysis of such results may be avoided. Further, as it often will be advantageous to utilize two or more different types or makes of testing software applications/systems, the need to invest in a multitude of testing software applications will be avoided by the invention. Similarly, expenses and labour involved in updating such testing software and/or purchasing new software as the already purchased versions become outdated or obsolete will be avoided.

[0014] Thus, the system according to the invention will provide the customer/customers with a cost efficient system for performing an efficient and contemporary checking of security, quality, vulnerability, information relating to the security etc., e.g. newly discovered weaknesses etc. and similar or related aspects in relation to the data processing equipment of the customer.

[0015] Preferably, as stated in claim 2, said one or more selected tests may be selected on the basis of preferences of the customer and/or on the basis of an analysis of said data processing device and/or data network of the customer.

[0016] Hereby it is achieved that the selected tests, which constitute a test suite, correspond to identified, expected and/or suspected fields of problems, said fields identified by means of the experience of the customer and/or the experience and in-depth knowledge relating to, for instance, security and testing items of the provider of the system according to the invention.

[0017] In a further embodiment according to claim 3, said one or more selected tests may be selected on the basis of results of one or more manually, e.g. operator, initiated executions of tests on said data processing device and/or data network.

[0018] Hereby it is achieved that the selection of tests, i.e. the test suite, will be selected on the basis of results reached by performing a set of tests, whereby the results may be observed and analyzed, giving valuable information about which test/tests to choose in relation to a particular data processing system, equipment and/or network. Further, the observed results of the manually initiated tests may serve as reference values, which may be utilized in connection with a processing and/or analysis of results of consecutively performed tests by the system according to the invention.

[0019] Advantageously, as stated in claim 4, said one or more tests may be configured to be executed each on predefined points of time and/or in predefined intervals of time.

[0020] Hereby it is achieved that the execution of the selected tests constituting the test suite may be configured to fulfill a wide variety of requirements and/or to operate under consideration of a wide variety of constraints. For example, certain tests may advantageously be scheduled to be performed on points of time when the data processing equipment is heavily loaded, e.g. to perform connection tests, denial-of-service tests, stress load tests etc., while other tests may advantageously be scheduled to be executed on points of time when demand on the data processing equipment is low, e.g. tests which may cause the data processing, communication etc. to be interrupted and may cause failure to the data processing equipment and/or software, which tests preferably may be located on points of time when a breakdown or a slowdown of services may be tolerable and/or when skilled personnel will be readily available to correct the failure.

[0021] In a further embodiment as stated in claim 5 said one or more tests may be configured to be executed each on a regular basis and the frequency of said regular executions may be specified preferably in accordance with customer preferences and/or on the basis of analysis/analyses and/or a reference testing on said data processing device and/or data network.

[0022] Hereby it is achieved that the execution of the selected tests constituting the test suite may each be configured to be repeated with an interval of time corresponding to an estimation and/or evaluation of the developments which may take place in relation to the subject of the test/tests in question. For example, if it is estimated that a denial-of-service is a very critical and/or probable failure for a data processing system, network equipment etc., then a relatively high frequency for performing such a test may be configured, while a test for a relatively uncritical and/or relatively seldom occurring failure or condition may be configured to be executed with a relatively low frequency, e.g. once a week, once a fortnight etc.

[0023] Advantageously, as stated in claim 6, means may be provided for performing a comparison between data representing one or more results of a test and one or more threshold values and means may be provided for the establishing of an alarm, advice and/or information message.

[0024] Hereby it is achieved that in cases where an abnormal condition is observed and where such an abnormal condition constitutes a certain breach of security and/or reliability, the customer and/or a person/persons specified by the customer may be alerted quickly if not instantaneously, e.g. by e-mail, SMS, FTP, telephone, pager etc.

[0025] As stated in claim 7, said one or more threshold values may be specified by the customer, whereby the establishing and/or emitting of possible alarms may be designed to fit the needs and/or preferences of the customer, e.g. the customer may specify a threshold which lies close to actual values for parameters which are very important and/or vital to the customer and/or the system/users of the system in question.

[0026] Preferably, as stated in claim 8, said one or more threshold values may be specified on the basis of results of manually initiated executions of one or more tests performed on said data processing device and/or network.

[0027] Hereby it is achieved that the threshold values and thus the alarm/advice initiating conditions will be specified on realistic terms and whereby it is achieved that the emitting of alarms/advices will be of considerable advantage to the user/users.

[0028] As stated in claim 9, said manually initiated executions of one or more tests, e.g. reference tests, performed on said data processing device and/or network may be performed with regular intervals of time.

[0029] Hereby it is achieved that the reference values will be adapted to the conditions changing with time, e.g. as the target data system evolves and as the load on said target system changes. Obviously, some or all of the threshold values need to be amended in consideration of these changes. If not, the alarms/advices may lose their importance, either because alarms/advices will be established with a larger frequency, whereby a tendency to ignore these will result, or because alarms/advices very rarely will be established because the threshold values now are so far away from the actual values that alarm conditions in reality never or very seldom will occur. By this embodiment of the invention these drawbacks will be avoided as the threshold values regularly will be checked and amended, if necessary.
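
An added illustration of paragraphs [0026]-[0029], not part of the patent text: thresholds derived from reference tests, evaluated with and without periodic re-baselining. The threshold rule (slowest reference value plus a 25 % margin) and the response-time timeline are assumptions made for the example.

```python
MARGIN = 0.25  # assumed safety margin above the slowest reference measurement


def threshold_from_reference(reference_ms):
    """Assumed rule: slowest reference response time plus the margin."""
    return max(reference_ms) * (1 + MARGIN)


# Constructed timeline of (day, kind, value). A "reference" entry is an
# operator-initiated reference test (several measurements, in ms); a
# "scheduled" entry is one automatically executed test result (in ms).
TIMELINE = [
    (1, "reference", [620, 644, 655]),
    (2, "scheduled", 650),
    (3, "scheduled", 2400),              # genuine abnormal condition
    (10, "reference", [890, 905, 930]),  # load on the target has grown
    (11, "scheduled", 900),
    (12, "scheduled", 910),
    (13, "scheduled", 2500),             # genuine abnormal condition
    (20, "reference", [200, 210, 220]),  # target upgraded, now much faster
    (21, "scheduled", 205),
    (22, "scheduled", 640),              # about three times the new normal
]


def alarm_days(timeline, rebaseline):
    """Return the days on which a scheduled result exceeded the threshold.

    With rebaseline=False only the first reference test sets the threshold;
    with rebaseline=True every later reference test replaces it.
    """
    threshold = None
    alarms = []
    for day, kind, value in timeline:
        if kind == "reference":
            if threshold is None or rebaseline:
                threshold = threshold_from_reference(value)
        elif threshold is None:
            raise ValueError("scheduled test before any reference test")
        elif value > threshold:
            alarms.append(day)
    return alarms


if __name__ == "__main__":
    # Stale threshold: false alarms on days 11 and 12, and the day 22
    # degradation is missed because the old threshold is far too high.
    print("stale      :", alarm_days(TIMELINE, rebaseline=False))
    # Re-baselined threshold: only the three genuine conditions alarm.
    print("rebaselined:", alarm_days(TIMELINE, rebaseline=True))
```
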

[0030] Advantageously, as stated in claim 10, said communication network, by means of which said test suite, monitoring, alerting, documentation and reporting system server (TSMADARS-server) is connectable to said data processing device and/or data network (Target 1-Target k) may be a secure network facilitating use of said authentication and/or encryption.

[0031] According to a further embodiment as stated in claim 11 said communication network (140), by means of which said data representing results may be accessed, be downloaded and/or transmitted by/to the customer may be a secure network facilitating use of authentication and/or encryption.

[0032] Advantageously as stated in claim 12 said plurality of test applications may comprise tests relating to security testing, quality testing, telecommunication security testing, security information collecting service, security auditing, communication line testing and/or test laboratory services.

[0033] When as stated in claim 13 said one or more selected tests are configured in a test suite file dedicated to each of one or more customers, said test suite file comprising for each test information relating to a target data system and relating to the execution of said test, an advantageous manner of configuring the selected tests is achieved, facilitating the execution of the test suites.

[0034] When as stated in claim 14 said test suite file may comprise one or more links each to a recorded preparation of a software application, said preparation or preparations comprising input actions and/or operations performed on a graphical user interface, it is achieved that tests etc. that comprise a user interface demanding a number of manual operations to be performed e.g. by computer mouse, cursor, keyboard etc., before the test can be executed, may advantageously be prepared for an automatic execution and be executed similar to other test software applications in the test suite file.

[0035] When as stated in claim 15 said one or more recorded preparations of a software application is/are dedicated to a particular target system a further preferred embodiment is obtained.

[0036] According to a further aspect the invention relates to a system as characterized in claim 16 for preparing an automatic execution of a test software application, said test software application comprising input means for operating said test software application and/or for specifying and/or selecting parameters relevant for the execution of said test software application and wherein said input means may be operated by means of computer input means such as a keyboard and/or a computer mouse, wherein said system comprises

[0037] means for storing

[0038] data indicative of operations performed on said test software application by means of said computer input means, and

[0039] parameter data specified and/or selected by means of said computer input means, and

[0040] means for indicating a sequential relation between said data.

[0041] Hereby it is achieved that manually performed operations such as selection of a graphical button and a subsequent activation by a mouse-click or double-click, an activation of a roll-down-menu and subsequent selection of an item, an activation of a data input field and specification in this field of an input by means of a keyboard etc. may be “recorded” and later simulated for an automatic execution of the same operations, whereby an execution of for example a number of mouse/cursor/keyboard operations in the graphical user interface of a software application may be performed in an automatic manner upon an initial start-up command.

[0042] Thus it is possible to prepare tests and other security related software applications for an automatic execution involving a test suite file wherein the selected tests are listed in a relatively simple manner, and wherein also software applications requiring a more complex preparation in order to have it running may be inserted. The system according to this aspect of the invention therefore constitutes an important feature in relation to the system for providing customer related services.

[0043] Advantageously, as stated in claim 17, said means for indicating a sequential relation between said data may comprise a sequential listing of data stored by said storing means.

[0044] Further as stated in claim 18 said data indicative of operations performed on said test software application by means of said computer input means may comprise data indicative of a reference location of a graphical user interface of said test software application and possibly data indicative of a dimensional relationship between said graphical user interface and said computer input means.

[0045] The invention relates to a method of monitoring the traffic of data packets in a data network (800) according to claim 19 comprising a number of network units (814-817), at least one of said network units (814-817) comprising access control lists (821, 824, 825, 826) defining data traffic rules associated to the network units (814-817),

[0046] the data traffic of the said network comprising data packets (801), said data packets (801) comprising at least one destination (802) and at least one source address (803),

[0047] establishing at least one reference list (832) reflecting a number of data traffic rules associated to the said network unit (814-817), establishing a number of “monitoring points” (827-830) in the said network (800),

[0048] measuring the data traffic in the said monitoring points (827-830)

[0049] comparing the said measured data traffic with the said data traffic rules, establishing a warning if the comparing reveals that measured data traffic comprises data packets conflicting with the said reference list (832).

[0050] The at least one reference list (832) reflecting a number of data traffic rules associated to the said network unit (814-817) may be established manually by e.g. typing, or the list may be established as a common log-file automatically reading all the rules of units of the network into one file.

[0051] The monitoring points may e.g. be established by a physical connection to a segment of the network to be monitored.

[0052] A warning may e.g. be an alarm or simply a text-indication of the status, which may easily be conceived by a skilled system operator.

[0053] When, as stated in claim 20, at least one reference list (832) comprises data traffic rules copied from at least one of the access control lists (821, 824, 825, 826) associated to the said network units (814-817), a further advantageous embodiment of the invention has been obtained.

[0054] An advantage of merging the access control lists into a rule list RL is that all established rules or filter functions are compared to the actual data traffic of the network, thereby reducing the risk of overlooking non-intended data traffic.

[0055] When, as stated in claim the said destination address (802) comprises an IP-address or generally, addresses related to other types of protocols and where the said source address comprises an IP-address or an address related to other types of protocols, a further advantageous embodiment of the invention has been obtained.

[0056] Data packet traffic of traditional data networks may thus be monitored and controlled by evaluation of said IP addresses, destination and/or source addresses, of the data packets.

[0057] When, as stated in claim 22, the said traffic rules comprise different combinations of forbidden source and destination addresses, a further advantageous embodiment of the invention has been obtained.

[0058] Preferably, the data traffic rules may also comprise different combinations of forbidden source and destination addresses combined with data content descriptions of the forbidden data packets.
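
The monitoring method of paragraphs [0045]-[0058], as an added example that is not part of the patent text: the access control lists of several network units are merged into one reference list, and every packet observed at a monitoring point is compared with all of it. The unit names, monitoring point names, addresses and the rule format (pairs of forbidden source and destination networks) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    unit: str    # network unit whose access control list holds the rule
    src: object  # forbidden source network
    dst: object  # forbidden destination network

    def forbids(self, src, dst):
        return src in self.src and dst in self.dst


# Constructed access control lists, one per network unit. Each entry is a
# forbidden (source network, destination network) combination.
ACLS = {
    "firewall": [("203.0.113.0/24", "10.0.20.0/24")],  # external -> database
    "router": [("10.0.30.0/24", "10.0.20.0/24")],      # office   -> database
    "bridge": [("10.0.20.0/24", "203.0.113.0/24")],    # database -> external
}

# Constructed capture: (monitoring point, source address, destination address).
PACKETS = [
    ("mp-dmz", "203.0.113.7", "10.0.10.5"),    # external -> web server, allowed
    ("mp-db", "203.0.113.7", "10.0.20.9"),     # should have been stopped earlier
    ("mp-db", "10.0.10.5", "10.0.20.9"),       # web server -> database, allowed
    ("mp-db", "10.0.30.44", "10.0.20.9"),      # office workstation -> database
    ("mp-dmz", "10.0.20.9", "203.0.113.7"),    # database talking outwards
    ("mp-office", "not-an-ip", "10.0.30.1"),   # damaged capture record
]


def build_reference_list(acls):
    """Copy the rules of every unit's access control list into one list."""
    return [
        Rule(unit, ip_network(src), ip_network(dst))
        for unit, entries in acls.items()
        for src, dst in entries
    ]


def check_traffic(reference, packets):
    """Compare measured traffic with the whole reference list.

    Every packet is checked against the rules of all units, whichever
    monitoring point saw it, so traffic that one unit is meant to block is
    reported when it shows up on a segment behind that unit.
    """
    warnings = []
    for point, src, dst in packets:
        try:
            s, d = ip_address(src), ip_address(dst)
        except ValueError:
            # Do not silently drop records that cannot be evaluated.
            warnings.append((point, src, dst, "unparseable address"))
            continue
        for rule in reference:
            if rule.forbids(s, d):
                warnings.append((point, src, dst, f"forbidden by {rule.unit}"))
    return warnings


if __name__ == "__main__":
    for warning in check_traffic(build_reference_list(ACLS), PACKETS):
        print("WARNING", *warning)
```
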

[0059] When, as stated in claim 23, at least one of the said network units (814-817) comprising access control lists (821, 824, 825, 826) defining data traffic rules associated to the network units (814-817), for instance, comprises a firewall and/or a network router and/or a network bridge, a further advantageous embodiment of the invention has been obtained.

[0060] A typical network unit of the above kind is a firewall, enabling different kinds of protection against unwanted data traffic. Thus, a firewall often represents the connection of a web-server to external users.

[0061] When, as stated in claim 24, the said monitoring points are established in preferably all identified segments of the network (800), a further advantageous embodiment of the invention has been obtained.

[0062] When, as stated in claim 25, the said reference list (832) is established for the purpose of simulating the data traffic in the network if at least one of the access control lists (821, 824, 825, 826) of the network units (814-817) is changed, a further advantageous embodiment of the invention has been obtained.

[0063] The invention relates to a method of monitoring the traffic of data packets in a data network (800) according to claim 26 comprising a number of network units (814-817), at least one of said network units (814-817) comprising access control lists (821, 824, 825, 826) defining data traffic rules associated to the network units (814-817),

[0064] the data traffic of the said network comprising data packets (801), said data packets (801) comprising at least one destination (802) and at least one source address (803),

[0065] establishing at least one logging file in a database (819) reflecting log-messages established in at least one network unit (814-817)

[0066] comparing the said log messages to pre-established log-patterns,

[0067] establishing a warning if pre-established patterns or variations of the pre-established patterns are identified.

[0068] When, as stated in claim 27, the said log-messages are established by different network units (814-817) of the network, a further advantageous embodiment of the invention has been obtained.

[0069] Moreover, the invention relates to a Virtual API editor (606) according to claim 28 comprising

[0070] means for selecting an application,

[0071] said application being operated by means of a graphical user interface (605) on data processing means (602) and at least one associated input device (603, 604)

[0072] means for displaying (601) the graphical user interface (605) of a selected application in a display area (601)

[0073] means for establishing at least one virtual input device script (303), said virtual input device script (303) defining the sequential operation of at least one input device (603, 604)

[0074] According to the invention a user may establish a virtual input device script reflecting a human realtime operation of a selected application. Such established virtual input device script may then be applied for a batch-running of the selected application, i.e. a chosen software application. The software application may then, so to speak, be operated on a batch basis by virtual input devices.

[0075] According to the invention, a batch running of a software application may be established on almost every thinkable software application which may be operated on a computer by means of e.g. a mouse and a keyboard.

[0076] Hence, software applications may run according to somewhat primitive virtual input device script in a batch mode even if the software applications contains suitable API. (API: Application Programming Interface).

[0077] A further advantageous option within the scope of the invention is that the virtual input device script may function as a user input device log, describing the operation of the computer on a macro-level.

[0078] Hence, the log-file may be used for tracking faults in the recorded manual operation of the selected software application, or it may even track if users perform undesired operations of certain software applications even if the software applications contain no log-facilities whatsoever.

[0079] When, as stated in claim 29, means for executing the said virtual input device script (303) in such a way the said virtual input device script (303) results in an execution of the said selected application via the said graphical user interface (605) associated to the said selected application, a further advantageous embodiment of the invention has been obtained.

[0080] Moreover, the invention relates to a method of establishing a virtual API editor (702) according to claim 30 comprising

[0081] reverse engineering the program code of a selected software application,

[0082] identifying a number of relevant input fields in the code of the software application,

[0083] providing a graphical user interface (701) having input fields corresponding to the relevant input fields,

[0084] inserting data by means of at least one computer input device (603, 604) into the reverse engineered program code in the identified relevant fields via the said graphical user interface (701),

[0085] compiling the established program code comprising the inserted data into one instance of an executable application of the selected application.

THE FIGURES

[0086] The invention will be described in further detail with reference to the drawings, of which

[0087] FIG. 1 shows a general overview of a system for providing customer requested services in accordance with a preferred embodiment of the invention,

[0088] FIG. 2 illustrates a number of customer test suite configuration files and their content,

[0089] FIG. 3-FIG. 7 illustrate different aspects of a Virtual API according to one preferred embodiment of the invention.

[0090] FIG. 8 illustrates the operation of a User Behavior Agent on a data network according to one embodiment of the invention.

DETAILED DESCRIPTION

[0091] In FIG. 1 a system for providing user requested services is illustrated in a schematic manner. The system, which is in the form of an application service provider (ASP) system, comprises a test suite, monitoring, alerting, documentation and reporting system (TSMADARS) generally designated 101. This system, e.g. ASP-system, which operates continuously, i.e. 24 hours a day seven days a week, comprises a server or a number of servers generally named TSMADARS-server means and generally designated 102. Further, the TSMADARS-server means comprises a number of different test software applications, monitoring software applications, supervisory software applications etc. which software applications in the following may be referred to as simply test software applications or tests, although the software applications concerned may have a scope differing from test software applications or have a wider scope than test software applications as such taken in a literal sense.

[0092] The system for providing user requested services according to an embodiment of the invention will be in the form of a supervisory control and data acquisition system (SCADA).

[0093] The involved tests are generally designated 103 and are for reasons of simplicity, which shall be explained later, grouped in a number of groups 103 a-103 h in FIG. 1.

[0094] The TSMADARS-server means is able to facilitate a number of different services, e.g. categories of tests in order to fulfill requirements of a user or customer requesting a particular service or services 110-119, e.g. categories of tests. Such tests may as illustrated be security tests (SEC) 110, quality tests (QA) 111, telecommunication-security tests (TELE) 112, tests for security risk information (intelligent information collecting service) (SECINFO) 113, security audits (AUDIT) 118, communication line tests (COMM) 119, although other categories of test may be utilized, e.g. test laboratory (LAB) etc.

[0095] Some of the test software applications 103 may be utilized in connection with two or more services, e.g. a particular test may be grouped in both group 103 a and 103 g, while another may be grouped in groups 103 b, 103 c and 103 h.

[0096] The test software applications may operate on the basis of two different principles. Some tests may be performed as purely external test methods, e.g. tests wherein an influence, an attack, a scanning, a request, a demand, an external logging etc. is directed toward the target network or system, while others may be arranged to operate at least partly inside the target network or system, e.g. where an internal logging is performed, where an allowable data packet, request, command etc. is communicated inside the target network or system in order to check the internal conditions of the target network or system, e.g. whether internal ports are unintentionally open for certain data packets, whether an internal blocking of certain ports is possible, whether certain types of data packets may enter certain parts of the target system unintentionally etc.

[0097] The catalogue of tests is designed to comprise both such types of tests and tests operating on both principles simultaneously. The system for providing user requested services according to the invention is thus also designed to facilitate such types of testing in order to provide optimal testing, monitoring, auditing etc. facilities to customers.

[0098] An example of a listing of some of the tests in the test catalogue and their relation to the services provided is shown in the following table:

SERVICE | DESCRIPTION | TESTS
SEC | Security tests | Inventory scan; MibBrowsing; Portscan; Vulnerability test; D.o.S. tests; BruteForce/intrusion; UBA-user behaviour agent (LOG files); UBA-user behaviour agent (Protocol)
QA | Quality tests | Ping; TraceRouting; GET requests; Connection test; Stress load test; Broken links; Bottlenecks (network traffic analyzer)
TELE | Tele security tests | War dialing; BruteForce/intrusion; UBA-user behaviour agent (LOG files)
AUDIT | Security audits | Auditprogram
COMM | Communication line | Accessibility tests
LAB | Test laboratory | Test environment; Education
SECINFO | Intelligent information collecting service | Scanning; Reports; Alerts
etc. | . . . | . . .

[0099] Brief descriptions of these tests supplemented with a few examples will be given in the following:

[0100] SEC:

[0101] Inventory Scan:

[0102] Mapping of active network units which respond to Ping (ICMP) requests or which can be identified by means of reverse DNS lookup.

[0103] (Example: Machine 212.130.xy.z is HELENA MS NT4 server, SP3).

[0104] MibBrowsing (Management Information Base Browsing)

[0105] Requests on the configurations of network units via active SNMP (Simple Network Management Protocol) agents.

[0106] (Example: SysUpTime=0 days, 3 min, 45 sec)

[0107] Portscan

[0108] Search of active TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports of network units.

[0109] (Example: TCP port 80 is http, i.e. browser access to the Internet)

[0110] Vulnerability Test

[0111] Systematic search of possible weaknesses in the operating systems of network units by means of complex algorithms and informational databases.

[0112] (Example: Machine 212.130.xy.z has 1 high risk, 3 medium risks and 1 low risk vulnerabilities)

[0113] D.o.S. (Denial of Service) Tests

[0114] Systematic search of possible “not in service” weaknesses in the operating systems of network units by means of complex algorithms and informational databases.

[0115] (Example: Machine 212.130.xy.z has 0 high risk, 1 medium risk and 1 low risk vulnerabilities)

[0116] BruteForce/Intrusion

[0117] Systematic (initially with dictionary/dictionaries, then by means of combinations) attempts of logins through active ports of network units.

[0118] (Example: Port 23, WWWNET, is open on machine 212.130.xy.z: Try user OL and all combinations of passwords from aaa to zzz).

[0119] UBA—User Behaviour Agent (LOG Files)

[0120] Systematic, correlational search for abnormal behaviour in logfiles of network units.

[0121] (Examples will be given later in the following)

[0122] UBA—User Behaviour Agent (Protocol)

[0123] Real-time search of traffic on network for abnormal userpattern/patterns.

[0124] (Examples will be given later in the following)

[0125] QA:

[0126] Ping

[0127] Collecting of response times for network units by means of Ping (ICMP)

[0128] (Example: Response from 212.130.xy.z: Bytes=32, average time >10 ms)

[0129] TraceRouting

[0130] Collecting of response times for network units by means of Ping (ICMP) and analysis of route for data packets through networks.

[0131] (Example: Traces route to machine 212.130.xy.z through xx-router, yy-firewall, zz-gateway etc)

[0132] GET Requests

[0133] Collecting of response times for services of network units by active ports.

[0134] (Example: GET http://www.abcdefg.dk/index.html=644 ms).

[0135] Connection Test

[0136] Collecting and analysis of services of network units by active ports.

[0137] (Example: WWWNET 212.130.xy.z gives “Welcome to AAA server v6.5.4 ESTMP”).

[0138] Stress Load Test

[0139] Exerting load on services of network units with an increasing number of virtual users simultaneously until the system is overloaded and crashes.

[0140] (Example: Web system MS IIS 5.0 crashed at 5444 virtual users at the same time; X hereof performed this and YY hereof performed that etc.).

[0141] Broken Links

[0142] Search of web system of network unit for references not active.

[0143] (Example: http://www.abcdefg.dk/index.html has 1 broken reference, i.e. http://www.abcdefg.dk/pricelist.html).

[0144] Bottlenecks (Network Traffic Analyzer)

[0145] Measurements of performance through network for “bottlenecks” and causal analysis hereof.

[0146] (Example: Congestion at router 212.130.xy.z: TCP peak=5000 bit/s at 4:15 PM).

[0147] Tele:

[0148] War Dialing

[0149] Systematic search of active numbers in operating systems of PBX, for which numbers a carrier detection (answering tone) is present.

[0150] (Example: 12345678 Carrier at 300 Baud).

[0151] D.o.S. (Denial of Service) Test

[0152] Systematic search of possible “not in service” weaknesses in the operating systems of PBX by means of complex algorithms and informational databases.

[0153] (Example: similar to example for D.o.S test for SEC).

[0154] BruteForce/Intrusion

[0155] Systematic, combinational login attempts through active numbers of PBX (Telephone switching central):

[0156] (Example: similar to example for BruteForce/intrusion for SEC).

[0157] UBA-User Behaviour Agent (LOG Files)

[0158] Systematic search of log files of PBX for abnormal behaviour.

[0159] (Examples will be given later in the following)

[0160] Audit:

[0161] Auditprogram

[0162] Scheduling of execution of security and quality audits.

[0163] Comm:

[0164] Accessibility

[0165] Ongoing measurements and analysis of on-time and bandwidth on communication lines

[0166] Secinfo:

[0167] Scanning

[0168] Surveying of newly discovered vulnerabilities/weaknesses on particular network units and PBX'es.

[0169] (Example: 190101: ABCD MIX DoS vulnerability on versions with IOY 12.2.3. See www.abcdef.com)

[0170] Reports

[0171] Collecting of technical security and quality information concerning “best buy” (comparisons) concerning network units and PBX'es with ongoing surveying with regard to relevant updates.

[0172] (Example: An updated buyers guide).

[0173] Alerts

[0174] Surveying of newly discovered hacker tools, malicious code etc

[0175] (Example: An updated database).

[0176] Lab:

[0177] Test Environment

[0178] Access to test laboratory with possibility of testing software ona large selection of hardware platforms.

[0179] (Example: User XX can log into the Bridicum test environment and may access among others an NT and a Unix environment, in which the user's own software may be tested).

[0180] Education

[0181] Virtual security school (E-learning) with theory and examination.

[0182] (Example: 3 day Hacker Guarding course as distance education incl. hands-on exercises).

[0183] The TSMADARS server means 102 is as shown connected to preferably secure storage means 121 for storing data relating to the customers, e.g. services requested, test suites, test results, persons and/or addresses to whom or which advices should be directed, rules (e.g. thresholds) relating to alarms/advices etc. Further, central control means (CC) 122 is provided to control e.g. the execution of the test suites, the storing of test suites and test results etc.

[0184] Means for analyzing test results and identifying, initiating and/or suggesting amendments to the test suites in order to achieve improvements in the test suites may optionally be provided in the form of a test suite optimizer (TSO) 123, which shall be described later.

[0185] The TSMADARS server means 102 is connected to a communication network 140, preferably a secure network, e.g. a network on which an encrypted and authenticated communication is facilitated, for example by means of SSL (Secure Socket Layer) or VPN (Virtual Private Network), which network may be in the form of an optionally secure global network such as the Internet, in the form of radio linked transmission networks, PSTN, GSM, UMTS etc., in the form of wired transmission means and/or in the form of leased lines etc. Of course, the connection 140 to/from the TSMADARS server means 102 may comprise combinations of such communication means and the TSMADARS server means 102 may be connected by means of two or more communication networks in parallel.

[0186] Users or customers (User 1-User m) are generally designated 150, and the data processing networks, equipment, systems etc, which may be monitored, tested, audited etc. by the system according to the invention, are generally designated 160.

[0187] A potential user 150, e.g. User m, who has a need to perform some sort of testing of a data processing system 160 (e.g. Target k), can submit a request to the provider of the services, for example via the transmission network 140, to the TSMADARS server means 102. In the request, the potential user can specify the kind of service requested, e.g. a security service 110, and other specifications relating to said services, e.g. frequency, thresholds, e.g. values relating to the emitting of alarms and/or time of initiations.

[0188] The provider of the TSMADARS service will then be able to suggest a suite of tests selected among the available tests 130, which tests will give the requested service/services. An operator controlled initial test run may then be performed on the data processing system 160 in question, e.g. Target k. The operator may execute the relevant tests at the point in time suggested and/or requested by the customer, and may repeat some or all of these, if relevant, with the suggested and/or requested frequencies. The results will be observed and analyzed, and subsequently possible suggestions for alterations concerning test suite configuration, e.g. selection and/or sequence of tests—and even suggestions to use specific testing tools accordingly—, point of time for running said tests, frequency etc. are prepared. These results are presented to the customer, e.g. the customer may access these, using login name and password, download the results to the user's own system via a secure transmission network, e.g. using FTP and preferably authentication and encryption (e.g. SSL, VPN), or the results may preferably via a secure transmission network, e.g. using authentication and encryption (e.g. SSL, VPN), be transmitted to the customer, e.g. as e-mail etc. and conclusively a test suite configuration may be agreed upon.

[0189] The test suite approved by the customer will then be configured in the form of a customer test suite file dedicated to said customer and said data processing system. If the customer requests test suites to be operated on more than one independent data processing system, a customer test suite file dedicated to each of said data processing systems may of course be made.

[0190] Such a customer test suite file dedicated to a particular customer and a particular data processing system is illustrated in FIG. 2. Herein, a test suite file 210 relating to Customer n is illustrated as one file among a group of test suite files 201, 202, 203 . . . 210 relating to Customer 1-Customer n.

[0191] The test suite files are all laid out in the same manner as illustrated for file 210, which essentially contains a listing of operations 211-219 to be performed by the system according to the invention. The file 210 may further comprise a number of fields or columns 221-225, containing different forms of commands and/or information.

[0192] Apart from a heading identifying the customer and/or the data processing system (target) to be monitored, tested, audited etc., the first part of the file 210 contains a list of operations concerning particular test, monitoring, auditing etc. software applications. Each of these contains a command field 221, e.g. “Perform”, a field 222 identifying the software application, e.g. “BBscan.exe”, a field 223 identifying the time at which the software application shall be run for the first time, e.g. “11 Jan. 2001 at 09.00”, a field 224 indicating the frequency with which the software application shall be repeated, e.g. “Every week”, and a field 225 identifying the target, e.g. an address or the like identifying the data processing system and/or network, for example an IP-address “abc.def.g.h” or an address related to other types of protocols.

[0193] After the listing concerning the software applications of the selected test suite, the file 210 contains a number of commands 219 relating to the processing of the results of the executions of the software applications, e.g. collecting the results, storing the results, updating the test result files of the customer in question etc.

[0194] The test suite files 201-210 stored on the storing means 121 will be run under control of the TSMADARS, e.g. controlled by the central control means (CC) 122, as the control system will cause a sequential scanning of the suite files, identify software applications which at the given point of time must be performed, cause such software applications to be executed and cause subsequent operations such as storing, analyzing of test results and/or updating of the result database/databases to be performed.

[0195] The test results may preferably via secure transmission means as described above be transmitted to the customer and/or accessed/downloaded, e.g. in the form of e-mails, FTP, etc. and/or the test results may be readily available for viewing and/or downloading via a preferably secure communication network 140, e.g. the Internet on a website.

[0196] Further, special messages in the form of alarm messages, information messages, advice messages, alert messages etc. may be forwarded/transmitted to the customer (or persons/addresses/telephone numbers specified by the customer), when certain reference values and/or limits, e.g. maximum and/or minimum values, which values in the following also shall be referred to as thresholds or threshold values, have been reached and/or exceeded. These threshold values may be user specified and/or may originate from the initial test runs performed when the test suite has been configured. The alarm messages etc. may be forwarded to user specified addresses, e.g. e-mail addresses, mobile telephone numbers etc, and the messages may be transmitted to more than one person/address, possibly in a hierarchical system.

[0197] The above described manually initiated test runs may be repeated with regular intervals in agreement with the customer in order to detect and/or evaluate the need to modify the test suite. Accordingly, the test suite may be modified on the basis of such reference tests and/or on the basis of an analysis of the target system. Similarly, such reference test results may lead to modifications of reference values serving to cause forwarding of alarm/information messages.

[0198] Secure storing of reference test results as well as reference values, e.g. threshold values, serving to define a basis for forwarding of alarm/information/advice/alert messages may be controlled by the central control means 122. Further, the central control means 122 may serve to control the preferably secure transmission of such messages on the basis of customer related and/or specified rules, which may also be stored, preferably in a secure manner, on the storage means 121. As specified above, the secure transmission may be in the form of an encrypted and authenticated communication, for example by means of SSL (Secure Socket Layer) or VPN (Virtual Private Network) or similar.

[0199] A customer or user 150 may in a secure manner as described above access the test results at the service provider (e.g. the application service provider ASP), e.g. at a website hosted by the application service provider, as the customer has been provided with a username and a password. The access may preferably be established using cryptography and authentication (e.g. using digital signature), e.g. using a Secure Socket Layer (SSL) protocol or Virtual Private Network (VPN) via the Internet or the like. Similarly, information transmitted from the service provider, test data etc. as well as result data transmitted from the target to the service provider may be transmitted using techniques to assure the security, e.g. using cryptography.

[0200] In addition to being able to access test results via a communication network, e.g. the Internet or similar means, the customers/users may be able to inspect the test suite/suites in accordance with the agreement with the service provider and possibly be able to change certain parameters in the test suite/suites, for example the frequency of tests, threshold values, host addresses, telephone numbers, in case these have been changed, etc.

[0201] The test software applications 103 used for providing the requested services may be standard test software applications and/or specially developed software applications, which may be developed for use in relation to a particular data processing system and/or network and/or in order to fulfill certain particular requests submitted by a customer or a potential customer.

[0202] A number of available standard test software applications may be configured relatively straightforwardly in the listing constituting a test suite 210 of a customer, as in relation to these software applications only few pieces of information, for example an IP address or addresses, other types of addresses, telephone number/numbers, initial starting points of time and possibly a frequency or frequencies of repetition need to be specified in order to have the software application running. As this information can be specified in the command fields contained in the listing, such software applications will immediately be executed when a starting point of time is reached. However, before starting a testing or a monitoring software application, it is checked, for example by the central control means (CC) 122, that the application in question is not running, i.e. that it has finished its previous execution. The central control means 122 will prohibit the execution of the application in such cases until the application has finished or until the application is scheduled to be initiated again according to the test suite file 210.
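The scanning of a test suite file described in paragraphs [0192] to [0194] and the not-running check of paragraph [0202] can be sketched as follows. This is an added example, not code from the patent: the semicolon-separated line layout, the catalogue allow-list, the target validation and the name PingStat.exe are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample. Assumed layout (the page names the fields 221-225 but
# not a file syntax): command; application; first run; frequency; target
SAMPLE_SUITE = """\
# Customer n / Target k
Perform; BBscan.exe; 11 Jan. 2001 at 09.00; Every week; 192.0.2.10
Perform; PingStat.exe; 11 Jan. 2001 at 09.30; Every day; 192.0.2.10
"""

# Hypothetical test catalogue: only these applications may be started.
CATALOGUE = {"BBscan.exe", "PingStat.exe"}
FREQUENCIES = {
    "Every hour": timedelta(hours=1),
    "Every day": timedelta(days=1),
    "Every week": timedelta(weeks=1),
}
Key = Tuple[str, str]  # (application, target)


@dataclass(frozen=True)
class SuiteEntry:
    command: str          # field 221
    application: str      # field 222
    first_run: datetime   # field 223
    frequency: timedelta  # field 224
    target: str           # field 225


def parse_suite(text: str, catalogue: Set[str] = CATALOGUE) -> List[SuiteEntry]:
    """Parse suite lines and reject anything outside the agreed catalogue."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields")
        command, app, first, freq, target = fields
        if command != "Perform":
            raise ValueError(f"line {lineno}: unknown command {command!r}")
        if app not in catalogue:
            # A customer-editable file must not be able to start arbitrary programs.
            raise ValueError(f"line {lineno}: {app!r} is not in the test catalogue")
        if freq not in FREQUENCIES:
            raise ValueError(f"line {lineno}: unknown frequency {freq!r}")
        target = str(ipaddress.ip_address(target))  # ValueError if malformed
        when = datetime.strptime(first, "%d %b. %Y at %H.%M")
        entries.append(SuiteEntry(command, app, when, FREQUENCIES[freq], target))
    return entries


def next_due(entry: SuiteEntry, last_run: Optional[datetime]) -> datetime:
    """First scheduled slot that lies after the previous start."""
    if last_run is None or last_run < entry.first_run:
        return entry.first_run
    periods = (last_run - entry.first_run) // entry.frequency + 1
    return entry.first_run + periods * entry.frequency


def due_entries(entries: List[SuiteEntry], now: datetime,
                last_run: Dict[Key, datetime], running: Set[Key]) -> List[SuiteEntry]:
    """One sequential scan: entries whose time has come and which are not running."""
    due = []
    for entry in entries:
        key = (entry.application, entry.target)
        if key in running:
            continue  # previous execution has not finished: prohibit a second start
        if now >= next_due(entry, last_run.get(key)):
            due.append(entry)
    return due


if __name__ == "__main__":
    suite = parse_suite(SAMPLE_SUITE)
    for e in due_entries(suite, datetime(2001, 1, 11, 9, 15), {}, set()):
        print("start", e.application, "against", e.target)
```

An entry skipped because it is still running stays due, so it is started on the first scan after it finishes, or at its next slot if that comes first.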

[0203] Other software applications may require a more complex and/or detailed input information, especially in cases where such software applications comprise a graphical user interface with graphical control means such as start buttons, input means for specifying certain values such as for example IP addresses, for selecting certain parameters etc. by use of keyboard, cursor and mouse. In order to be able to execute such software applications automatically, the operations performed on the user interfaces of such software applications in order to achieve an execution, e.g. manually and sequentially performed operations, have to be transformed to a script or the like, which may be executed directly by a computer controlled system. Such a script may then be inserted in or preferably referred to in the customer test suite files 201-210 (FIG. 2). For example, instead of indicating a tag in the field 222 identifying the test software application, a reference to such a script may be inserted.

[0204] An advantageous feature of the invention and an important part of the system according to the invention, by means of which it is possible to create such customer dedicated scripts, will be described in further detail in the following.

[0205] FIG. 3 illustrates the basic principle of one preferred embodiment of the invention.

[0206] When dealing with e.g. security monitoring or quality monitoring of data networks, both with respect to internal monitoring and external monitoring, a basic problem is that no monitoring applications are actually complete enough to perform the test alone, due to the fact that intrusion and cyber vandalism may be performed in numerous ways. New methods see the light of day every day. Consequently, such monitoring should be performed quite often and the monitoring should be updated to match the behavior of unwanted intruders.

[0207] Therefore several types of evaluation software applications should preferably be applied when investigating the security of a network. Moreover, the number of applied software applications may often vary with the different tasks and different versions of the applied applications over time.

[0208] Consequently, a monitoring of the data security may imply use of many different software applications in many different setups and the combination of the software applications may vary as well.

[0209] A problem of many of the applicable monitoring software applications is that they lack an API (API: Application Programming Interface). Therefore, the security monitoring tasks have to be performed manually in time-consuming operations requiring manual insertion of for example IP-addresses etc.

[0210] According to one aspect of the invention, the monitoring of the data security should be performed regularly and at a well-defined time of the day in order to satisfy the needs of a user requiring a data security test.

[0211] In order to meet such need the invention involves the establishing of a Virtual API, VAPI, allowing batch-mode running of security monitoring software applications in certain intervals.

[0212] With reference to FIG. 3 the establishing of a virtual API may imply an initial step of pseudo-running an API-less security monitoring software application. The software application is operated by input devices 301, such as a computer keyboard and a computer mouse.

[0213] The operation of the input devices when running a certain application is “recorded”, thereby facilitating a subsequent running of the software application by means of the recorded behavior of the input devices. The “recording” of the operation of input devices associated to a certain software application may be performed by means of a virtual API editor (VAPI) 302, and the recorded operation is mapped into a virtual input device script (VIDS) 303.

[0214] The virtual input device script may be established in many different ways within the scope of the invention, e.g. by a specific recording of the operation or by means of manual software application programming of the VIDS 303. Preferably, the virtual API editor should facilitate a combination of a recording and manually inserted input device operations.

[0215] Subsequently, the virtual input device script, VIDS 303, may run the associated software application (APP) 304 at a given time or if certain predefined criteria are fulfilled, and the software application may generate an output (APPO) 305 accordingly.

[0216] Typically, a virtual input device script, VIDS 303, capable of running one software application may be combined with virtual input device scripts, VIDS 303, running other software applications. Moreover, they may be combined with API code established for running software applications already having an API. Hence, software applications or bundles of software applications may be run in batch mode without the need for manual typing and maintenance.

[0217] Turning now to FIG. 4, the above operation is illustrated by a VAPI 302 capable of running a selected application (SA) 401, e.g. a war dialing software application, via the software application user interface 402 by means of a VIDS script 303.

[0218] As illustrated in FIG. 5, a VAPI 302 may run a bundle of software applications (SA1-SAn) 501-507 by means of different individual scripts, in the manner of traditional API scripts running one or several software applications.

[0219] The result of the batch mode running of the software application may be exported to one common database 511 containing the overall desired test results.

[0220] Evidently, a selected application offering a traditional API may be run either by means of the associated API or by means of an established virtual input device script (VIDS) 303.

[0221] A possible establishing of a virtual input device script (VIDS) 303 according to one embodiment of the invention will now be described in detail with reference to FIG. 6.

[0222] FIG. 6 illustrates a standard personal computer, e.g. a PC, 602 comprising a monitor 601. The computer is operated traditionally by means of input devices: a keyboard 603 and a mouse 604 via a user interface 605.

[0223] According to the illustrated embodiment the desired virtual input device script, (VIDS) 303, is established by means of a Virtual API editor (VAPIE) 606.

[0224] The illustrated VAPIE 606, which obviously may be established in several other ways within the scope of the invention, monitors the graphical user interface of a selected application 401.

[0225] The illustrated VAPIE 606, here in tile mode, comprises a control bar 607, adapted for recording the operation of the input devices 603 and 604. The control bar facilitates both recording and playing of the recorded/manually inputted VIDS 303. Moreover, the control bar 607 comprises an APPSEL button (not shown) enabling the selection of a software application, e.g. the illustrated software application 401.

[0226] The graphical user interface of the illustrated VAPIE 606 is operated by means of traditional input devices, such as a mouse 604 and/or keyboard 603, input pens, etc. A cursor 608 reflects the operations of the input devices.

[0227] Moreover, the control bar 607 comprises a number of programming buttons 609 facilitating manual insertion of different commands, such as click, double-click, text insertion, etc. The illustrated control bar 607, which may be applied in several different ways within the scope of the invention, will be described in detail below with reference to FIG. 6b. One of several possible programming buttons may e.g. be an XY-button (not shown) adapted for the purpose of establishing the reference position of the graphical user interface 605 of a selected application with respect to the established virtual input device script. Such establishment may be performed manually or automatically within the scope of the invention.

[0228] A simple mapping may e.g. be a mouse XY inputting of at least two border points defining the position and the size of the graphical user interface 605 screen of the selected application, possibly supplemented by computer monitor data or monitor setting, e.g. screen resolution. When these data have been established, a recording or establishment of the moving of a cursor on the monitor may be related to the actually intended operation of the selected application 401, if the size or position of the graphical user interface 605 screen of the selected application has changed the next time the selected application 401 is opened for execution.

[0229] Finally, the editor comprises a virtual input device listing area, (VIDSL) 610, containing the recorded and manually inputted virtual input device script, VIDS 303. The script may be edited on a traditional text-editor basis, and the virtual input device listing area, (VIDSL) 610, may comprise an associated syntax checking algorithm.

[0230] The content of a virtual input device listing area, VIDSL 610, may typically comprise a listing or a representation of the established virtual input device script VIDS 303 supplemented by suitable explanations, labeling facilities and syntax checks.

[0231] The illustrated control facilitates an advantageous establishment of the desired virtual input device script VIDS 303. A segment illustrative bar 611 is provided for illustrating what segments of the VIDS 303 are presently listed in the virtual input device listing area, VIDSL 610, and a pointer 612 illustrates the present position of a timeline (not shown). Hence, VIDS 303 segments present in the virtual input device listing area, VIDSL 610, should be highlighted in the illustrative bar 611.

[0232] The basic understanding of a time segment according to one embodiment of the invention is that each segment represents a sequence terminated by an input device action, such as a mouse right/left click, a double-click or for instance a keyboard “return” command.

[0233] An example of a virtual input device script VIDS 303 monitored in the virtual input device listing area, VIDSL 610, may e.g. be a code:

[0234] (# is followed by non-executable descriptive text)

[0235] # XY defining of the position and size of the selected application SA

[0236] # by mouse insertion of two opposite corner reference points

[0237] # The POS-tag establishes that the next two left-clicks define

[0238] # the area of the selected application.

    <POS>
    X0Y0=12, 12 <L-CLICK>        # End of segment 1
    X2Y2=650, 650 <L-CLICK>      # End of segment 2
    # Now, the input script may begin
    #
    # Select a pull-down menu by moving the position of a XY defining
    X,Y=12, 600 <L-CLICK>        # End of segment 3
    # The select pull down menu segment is terminated
    # Move cursor to input field
    xy=150, 500 <D-CLICK>        # End of segment 4
    # Enter file name
    Heacy.txt <ENTER>            # End of segment 5
    # Move cursor to input field
    xy=170, 500 <D-CLICK>        # End of segment 6
    # Enter IP address
    <IP> 212.127.8.114 <ENTER>   # End of segment 7

[0239] According to the above illustrated VIDS 303, the present play-status is that the <enter> command has just been executed, and that the next action is to move the cursor to positions 170, 500.

[0240] The control bar comprises a record button 613. This button facilitates a recording over the segment of the input device operation. A further record button 614 facilitates a one segment at a time recording. Rewind 615 and forward buttons 616 are applied for VIDS 303 scrolling on a continuous basis or segment basis.

[0241] Moreover, the control bar comprises means for defining certain standard operations, such as the above listed <POS> or <IP>. These standard “tags” are associated to a certain predefined meaning, e.g. <IP> defining an IP-address. This defining of input values associated to the established VIDS 303 facilitates an easy exchange of key values such as IP-addresses, once a first VIDS 303 associated to a selected software application has been established. Thereby, a VIDS 303 associated to a certain application may be reused, only requiring an exchange of key values when applying the same software application to the test of another customer.
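The listing of paragraph [0238], the two-corner mapping of paragraph [0228] and the exchange of tagged key values of paragraph [0241] can be tied together in a small parser. This is an added example, not code from the patent: the one-segment-per-line grammar is inferred from the listing, and the proportional rescaling, the value validation and the replacement address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Listing of paragraph [0238], one segment per line. Segment 6 uses the
# position 170, 500 that paragraph [0239] gives for it.
SAMPLE_VIDS = """\
<POS>
X0Y0=12, 12 <L-CLICK>        # End of segment 1
X2Y2=650, 650 <L-CLICK>      # End of segment 2
X,Y=12, 600 <L-CLICK>        # End of segment 3
xy=150, 500 <D-CLICK>        # End of segment 4
Heacy.txt <ENTER>            # End of segment 5
xy=170, 500 <D-CLICK>        # End of segment 6
<IP> 212.127.8.114 <ENTER>   # End of segment 7
"""

CLICKS = {"L-CLICK", "D-CLICK"}  # actions that end a cursor-move segment
MOVE_RE = re.compile(r"^[A-Za-z0-9,]+\s*=\s*(\d+)\s*,\s*(\d+)\s*<([A-Z-]+)>$")
TEXT_RE = re.compile(r"^(?:<([A-Z]+)>\s*)?(.+?)\s*<([A-Z-]+)>$")
Rect = Tuple[int, int, int, int]


@dataclass(frozen=True)
class Segment:
    action: str                 # input device action that terminates the segment
    x: Optional[int] = None
    y: Optional[int] = None
    text: Optional[str] = None  # typed text, for keyboard segments
    tag: Optional[str] = None   # e.g. "IP": an exchangeable key value
    corner: bool = False        # one of the two <POS> reference clicks


def parse_vids(script: str) -> List[Segment]:
    """Syntax-check a VIDS listing and return its segments in order."""
    segments, corners_left = [], 0
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts descriptive text
        if not line:
            continue
        if line == "<POS>":
            corners_left = 2                  # next two clicks define the area
            continue
        move = MOVE_RE.match(line)
        text = None if move else TEXT_RE.match(line)
        if move and move.group(3) in CLICKS:
            seg = Segment(move.group(3), int(move.group(1)), int(move.group(2)),
                          corner=corners_left > 0)
            corners_left = max(0, corners_left - 1)
        elif text and text.group(3) == "ENTER":
            seg = Segment("ENTER", text=text.group(2), tag=text.group(1))
        else:
            raise ValueError(f"line {lineno}: not a valid segment: {raw!r}")
        segments.append(seg)
    return segments


def reference_rect(segments: List[Segment]) -> Rect:
    """Recorded position and size of the application window."""
    corners = [s for s in segments if s.corner]
    if len(corners) != 2:
        raise ValueError("script needs exactly two <POS> reference clicks")
    (a, b) = corners
    if a.x == b.x or a.y == b.y:
        raise ValueError("reference area has no width or height")
    return (a.x, a.y, b.x, b.y)


def remap(segments: List[Segment], new_rect: Rect) -> List[Segment]:
    """Rescale every recorded position to where the window is now."""
    x0, y0, x1, y1 = reference_rect(segments)
    nx0, ny0, nx1, ny1 = new_rect
    sx, sy = (nx1 - nx0) / (x1 - x0), (ny1 - ny0) / (y1 - y0)
    return [s if s.x is None else
            replace(s, x=round(nx0 + (s.x - x0) * sx), y=round(ny0 + (s.y - y0) * sy))
            for s in segments]


def substitute(segments: List[Segment], values: Dict[str, str]) -> List[Segment]:
    """Exchange tagged key values, refusing input that is not a plain value."""
    out = []
    for s in segments:
        if s.tag in values:
            value = values[s.tag]
            if s.tag == "IP":
                value = str(ipaddress.ip_address(value))  # ValueError if malformed
            elif re.search(r"[<>#\r\n]", value):
                raise ValueError(f"value for <{s.tag}> contains script syntax")
            s = replace(s, text=value)
        out.append(s)
    return out


if __name__ == "__main__":
    script = substitute(parse_vids(SAMPLE_VIDS), {"IP": "192.0.2.10"})
    for seg in remap(script, (112, 62, 750, 700)):
        print(seg)
```

Validating the exchanged value before playback matters because the script drives a real user interface: a customer-supplied string that carried its own tags or line breaks would otherwise be replayed as extra input.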

[0242] The running of the established VIDS 303 may be emulated by activating the play/pause button 617 and the operation of the input devices may be emulated graphically simultaneously in order to illustrate the established VIDS 303 operation to the user. Moreover, the VIDS 303 illustrated in the virtual input device listing area, VIDSL 610, should be scrolled simultaneously, thereby illustrating the current position in the virtual input device script VIDS 303.

[0243] FIG. 6b illustrates a variant mode of the above-described editor in which the VAPI editor 606 operates in a cascade mode, thereby facilitating the operator of the editor to create a VIDS 303 by recording/generating the input device operation over the complete area of the monitor. According to the illustrated embodiment, the control bar 607 acts as a movable task bar.

[0244] FIG. 7 illustrates the user interface 701 of a further embodiment of the invention.

[0245] The user interface 701 is associated to an instance of a software application. The instance of a selected software application may be established by reverse engineering of a certain software application lacking an API.

[0246] The reverse engineered code may be mapped together with a roadmap file defining the necessary input fields e.g. according to a DOM (Document Object Model)-tree representation of the reverse engineered software application. The input fields should typically be all the fields needed to be set/filled-in in order to run the application. Therefore, such fields may include trivial default settings common for all the needed executions of the program and they may evidently include the fields needed for the individual executions of the application, e.g. the insertion of for example an IP-address, test parameters, output-file definitions, etc.

[0247] When such field positions in the reverse engineered code have been revealed, an execution of the software application for a certain test may be established by specifically inputting relevant IP-addresses, test conditions, test types, etc. in the source code and recompiling the code to an executable instance of the software application.

[0248] A user friendly programming tool is described below with reference to FIG. 7.

[0249] FIG. 7 illustrates a further embodiment of a virtual API editor (VAPIE) 702 according to the invention.

[0250] The VAPIE 702 basically functions as a graphical user interface 701 to the above described reverse engineered code. The graphical user interface 701 allows the user to type in the parameters necessary for the execution of the specific application addressing a specific network.

[0251] According to the illustrated graphical user interface 701, an IP-address input field, 703, is provided for inputting for example one or several relevant IP-addresses or addresses relating to other types of protocols. The IP-addresses or other types of addresses may e.g. be comma-separated.

[0252] A telephone number input field 704 is applied for inputting of telephone numbers, if the test application e.g. is applicable for telephone tests, e.g. war dialing tests, etc.

[0253] A number of function check boxes 705 are provided for checking the applicable function according to the desired execution of the program. The choosing of desired functions may vary from task to task and from customer to customer.

[0254] When the operator of the VAPIE 702 has finished the insertion andchecking of the desired function he may activate a compile activationbutton 706, thereby invoking the compilation of the selected application401 with the specific inserted parameters. Hence, the compilation of theapplication results in an instance of the program, e.g. an exe. fileassociated to a relevant customer. An execution of the file may then runthe program with the parameters inserted and compiled via the VAPIE 702.

[0255] One advantage of such a type of virtual API editor (VAPIE) 702 isthat several executable instances of a selected application 401 may beestablished in a simple manner and executed with little effort, when theVAPIE 702 once has been established on the basis of the reverseengineering, thereby reducing the need of manually inputting of customerdata, etc each time a test of a certain software application has to beapplied. Evidently, such instances of an application may be regarded asa kind of disposable test program dedicated to a certain task and acertain customer. If certain parameters has to be exchanged, e.g. anIP-address, the executable program instance may be disposed and a newinstance has to be compiled with the changed data. Evidently, suchcompilation of a new instances or new instances may be eased if the useronly needs to change the relevant data by means of the VAPIE 702 insteadof retyping the complete data input.

[0256] The illustrated VAPIE graphical user interface 701 comprises other possible buttons 707 or forms (not shown) provided for importing customer records, defining the desired applications, defining an output format, warning outputs, etc.

[0257] Evidently, the illustrated VAPIE editor 702 may be constructed in several different ways within the scope of the invention. Preferably, the VAPIE editor 702 should be somewhat customized to the specific application, thereby reducing the complexity of the job of the operator using the VAPIE 702. Such customization may e.g. be a one-to-one relationship between the relevant input fields of the application and the graphical user interface 701. An example of such customization may e.g. imply that a VAPIE graphical user interface 701 associated to a selected application only involves IP-address input fields and check-boxes, if no telecommunication tests may actually be performed by the program.

[0258] FIG. 8A illustrates a data network according to one embodiment of the invention and a special feature of the system described in FIG. 1, i.e. a test performed from the “inside” of the system. The special feature is referred to as a user behavior agent, UBA.

[0259] User behavior agents (UBA's) may be applied as external services requiring access to the customer computer, e.g. via encrypted VPN tunnels, or the agents may be installed at the customer's network.

[0260] The feature will be described with reference to the data network illustrated in FIG. 8A. Evidently, the illustrated data network is only one of several different possible setups and types of networks applicable within the scope of the invention.

[0261] The data network facilitates data traffic between the involved units in the form of data packets 801. The data packets comprise a destination address (DA) 802, a source address (SA) 803 and further packet content (PACO) 804 as illustrated in FIG. 8B. The packet content may e.g. be specific data packets, requests-replies, etc. In a typical network both source and destination addresses are IP addresses, but they could originate from other types of protocols.

[0262] The illustrated network comprises a number of internal users 810-813, e.g. accessing the network by means of dedicated PC's. The illustrated network is traditionally linked together by means of network cables and network units 814 (NU1), 815 (NU2), 816 (NU3) and 817 (NU4) and servers (not shown). The network units comprise different units, e.g. routers, firewalls or bridges.

[0263] The basic elements of the illustrated network comprise a database setup comprising two databases 818 and 819. The latter database 819 is intended for internal storing of log files.

[0264] Moreover, the network comprises a database 818 associated to a network unit (NU2) 815 in the form of a so-called firewall. The firewall 815 is established for providing access for external users 819 to a database 818, i.e. a web-based database which may be accessed via the Internet 820. Moreover, the firewall should ensure that none of the Internet-based users, e.g. external users 819, may access the internal part of the network. Typically, the database 818 should be accessible to both external users 819 and internal users 810-813 as well.

[0265] The firewall is configured by means of an access control list (ACL2) 821, defining the allowed traffic to and from the unit (NU2) 815. Such an access control list 821 may e.g. define that all external data traffic is routed to the database 818. The rules of an access control list may also comprise inbound and outbound filters, defining specified undesired or not-allowed types of traffic, e.g.

[0266] Undesired traffic may e.g. imply traffic via the router to a specific destination address, for example an IP-address. Other types of undesired traffic may e.g. be defined as a combination of a destination address and certain types of requests.

[0267] The front end of the network is comprised by a router (NU4) 817, having an associated access control list (ACL4) 826, located between and connected to the Internet 820 and the firewall (NU2) 815.

[0268] Moreover, the network comprises two users 822 and 823, e.g. coupled directly to the network from a remote location. The users 822 and 823 are coupled to the network via routers (NU1) 814 and (NU3) 816, each router comprising an associated access control list (ACL1) 824 and (ACL3) 825 defining allowed users.

[0269] The illustrated users 822 and 823 may principally access with the same rights as the other internal users 810-813 or they may facilitate certain operations defined by the filters or rules established in the access control list 824, 825, respectively.

[0270] Finally, the illustrated network comprises a serially operating network switch 831, dividing the network into a number of network segments. Each of the internal users 810-813, the external user 822/router 814 (NU1), the external user 823/router 816 (NU3), the database 819, and the database 818 forms a segment.

[0271] Basically, the network comprises a number of network units controlling the allowed network traffic in different parts of the network. Nevertheless, practice has revealed that such network units 814-817 (NU1-4) sometimes allow unintended traffic. This may be due to different factors such as mis-configuration, bad hardware structures, etc.

[0272] Therefore, the invention provides external tests on a computer network, testing whether intrusion or cyber vandalism is actually possible for non-authorized users. Typically, such a test should make the specific weaknesses clear to the owner of the network and the test should result in different proposals eliminating the discovered weaknesses.

[0273] Moreover, the invention provides test facilities testing whether something has actually failed, i.e. if non-authorized data traffic has actually passed the firewalls, etc. Such test facilities necessitate a testing of the inside traffic of the network, and therefore tests will have to be performed by means of security routines established in the internal part of the computer network. The tests may be performed by so-called User Behavior Agents (UBA's). The User Behavior Agents may function in several different ways.

[0274] According to a first embodiment of applicable UBA's within the scope of the invention, a Watch User Behavior Agent is established for watching illegal data packets within the computer network, and preferably, the Watch agent should give advice if illegal packets are detected.

[0275] The Watch agent implies a number of measure points, e.g. 827, 828, 829 and 830, established within the internal part of the network thought to be secure and free of undesired traffic of data packets 801.

[0276] Preferably, a measuring point should be established in each or at least as many as possible segments of the network in order to track unintended traffic on the network. An example of unintended data traffic may e.g. appear if a department of the company reconfigures the access control list 825 of the router 816 (NU3), e.g. by mistake, thereby opening the network to the exterior networks.

[0277] Therefore, according to the invention, illegal data packets may be revealed by the watch agent UBA (e.g. located on its own data processing unit having several netcards, one per monitoring point), as data packets coming into the network via the mis-configured router 816 (NU3) are measured and compared to e.g. the rules or some of the rules of the access control list 821 (ACL2) associated to the firewall 815.

[0278] An appropriate warning should be raised.

[0279] As illustrated in FIG. 8C, the tapped data packets 801 are compared to a rule list 831 (RL) defining a common description of undesired traffic, i.e. data packets. If the comparison reveals that undesired traffic within the network is actually present, the fact should be brought to the attention of a super-user or the like, e.g. by means of a simple log-file which may be opened from time to time by a super-user, or some kind of warning, e.g. in the form of a text message to a system operator or securely sent electronically to the TSMADARS-server as part of the testsuite setup.

[0280] The rule list 831 (RL) may e.g. be manually typed, e.g. for simulation purposes, or the rule list RL may, as illustrated in FIG. 8D, be copied directly from the access rule lists 824 (ACL1), 826 (ACL2), 825 (ACL3) or 821 (ACL4) of all or some of the network units 814 (NU1), 815 (NU2), 816 (NU3) and 817 (NU4).

[0281] The advantage of merging the access rule lists 824 (ACL1), 826 (ACL2), 825 (ACL3) or 821 (ACL4) into a rule list (RL) 832 is that all established rules or filter functions are compared to the actual data traffic of the network.

[0282] The established monitoring and the comparisons may e.g. be used as internal watch-software applications, or it may be applied as an agent stored internally in the network reporting to an external centralized watch company e.g. 823 being in charge of the monitoring of the security of the company network. The agent may also be located externally at the external centralized watch company, e.g. in 823, provided that the external connection is secure and obviously, that the watch company is reliable.

[0283] The above described monitoring of the internal traffic in the data network should preferably be supported by tests on the firewalls etc. performed for the purpose of monitoring weak points of the interfaces between the external and internal part of the network. So to speak, a reliable security monitoring should preferably dynamically test the network firewalls' ability of keeping undesired data traffic out of the internal part of the network as described according to the above-described system of FIG. 1, and the security monitoring should preferably dynamically monitor the data traffic of the internal part of the network in order to discover if undesired traffic has actually entered the internal part of the network. When unwanted traffic is discovered by simple pattern match performed by the UBA's internal algorithm and database system, alerts are securely sent electronically, e.g. e-mailed, to the local system administrator or to the TSMADARS-server.

[0284] Moreover, according to the first embodiment of the invention, the UBA may be applied for simulation purposes. If a modification of e.g. the access control list 826 (ACL2) of the firewall 815 (NU2) is considered, the modification may be simulated by modification of the reference list, thereby emulating the traffic occurring if the considered change is actually performed.
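The comparison described in paragraphs [0277] to [0281] and the simulation of [0284] can be sketched in Python as follows. This is an added example, not part of the patent text: the rule format (forbidden source/destination networks plus an optional request type), the function names and all addresses and packets are constructed for illustration.

```python
"""Watch-agent sketch: merge ACL rules into one reference list (RL) and
compare packets tapped at internal monitoring points against it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    origin: str                    # ACL the rule was copied from, e.g. "ACL2"
    src: str                       # forbidden source network (CIDR)
    dst: str                       # forbidden destination network (CIDR)
    content: Optional[str] = None  # forbidden request type; None means any

    def matches(self, pkt: "Packet") -> bool:
        return (ip_address(pkt.sa) in ip_network(self.src)
                and ip_address(pkt.da) in ip_network(self.dst)
                and (self.content is None or self.content == pkt.paco))


@dataclass(frozen=True)
class Packet:
    point: int  # monitoring point where the packet was tapped
    da: str     # destination address (DA)
    sa: str     # source address (SA)
    paco: str   # packet content (PACO), reduced here to a request type


def merge_acls(acls):
    """Copy the rules of every ACL into one reference list, dropping duplicates."""
    merged, seen = [], set()
    for origin, rules in acls.items():
        for src, dst, content in rules:
            key = (ip_network(src), ip_network(dst), content)
            if key not in seen:
                seen.add(key)
                merged.append(Rule(origin, src, dst, content))
    return merged


def watch(packets, reference_list):
    """Return one warning per tapped packet that conflicts with the reference list."""
    warnings = []
    for pkt in packets:
        for rule in reference_list:
            if rule.matches(pkt):
                warnings.append((pkt.point, pkt.sa, pkt.da, rule.origin))
                break
    return warnings


def simulate(packets, reference_list, proposed):
    """Replay captured traffic and return only the warnings a proposed change adds."""
    current = set(watch(packets, reference_list))
    return [w for w in watch(packets, reference_list + proposed) if w not in current]


# Constructed sample data (documentation and private address ranges).
ACLS = {
    # Firewall: Internet hosts must never reach the internal user segment.
    "ACL2": [("203.0.113.0/24", "10.0.1.0/24", None)],
    # Remote-site router: must not reach the log database; second rule duplicates ACL2.
    "ACL3": [("198.51.100.0/24", "10.0.2.0/24", None),
             ("203.0.113.0/24", "10.0.1.0/24", None)],
}
TAPPED = [
    Packet(827, "10.0.3.5", "10.0.1.12", "http-request"),     # internal user to web database
    Packet(829, "10.0.1.12", "203.0.113.7", "http-request"),  # Internet source seen inside
    Packet(828, "10.0.2.9", "10.0.1.14", "telnet"),           # internal user to log database
]
# Change under consideration: forbid telnet from the user segment to the log database.
PROPOSED = [Rule("ACL2-proposed", "10.0.1.0/24", "10.0.2.0/24", "telnet")]

if __name__ == "__main__":
    rl = merge_acls(ACLS)
    for warning in watch(TAPPED, rl):
        print("WARNING", warning)
    for warning in simulate(TAPPED, rl, PROPOSED):
        print("WOULD WARN", warning)
```

The packet tapped at point 829 is flagged by a rule copied from the firewall's list even though it entered through a different network unit, which is the benefit of comparing against the merged list rather than each unit's own.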

[0285] According to a second embodiment of applicable UBA's within the scope of the invention, a Log User Behavior Agent is established. The Log User Behavior Agent is adapted for checking different log files of the computer network, e.g. firewall logs, server event logs, database log files, etc. The UBA should check these log files and give a warning if the user behavior agent detects that activities or users behave differently or deviate from normal expected user behavior.

[0286] The log-user behavior agent, LUBA, should be capable of detecting a track of unusual behavior in the above-mentioned log-files, and then map the activities of the user until the user logs out. This may e.g. be done by tracking all the destination addresses for the unit associated to the log-file until it leaves the network. The log-file may according to the illustrated embodiment be established in the database 819, e.g. by means of the already established measuring points 827-830 or in many other suitable ways.

[0287] The below example illustrates the meaning of collecting log-messages from e.g. a Tabasco router. The name of the router is fictitious and the example is only applied for the purpose of explaining important features of the invention.

[0288] The log-messages are typically product specific.

[0289] FW: Tabasco.

[0290] 1. DEST. IP address: ICMP overflow time T

[0291] 2. DEST. IP address: ICMP overflow time T+delta

[0292] 3. DEST. IP address: ICMP overflow time T+2xdelta

[0293] The message log-file indicates that a Ping of death has been initiated at the Tabasco router, as the log-messages reveal that the IP address has invoked an overflow in the router at three different times T, T+delta, T+2xdelta.

[0294] The behavior reveals that a denial of service (DoS) has occurred or occurs.
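The Tabasco example of paragraphs [0289] to [0294] can be turned into a small log check, shown here as an added Python sketch that is not part of the patent text. The concrete log line format, the thresholds and the sample lines are constructed; real log-messages are product specific, as paragraph [0288] notes, so lines that do not parse are skipped.

```python
"""Log-agent sketch: warn when one address triggers the same log event
repeatedly (T, T+delta, T+2xdelta) on a network unit."""
import re
from collections import defaultdict

# Assumed line format: "<seconds> FW=<unit> DEST=<ip> <event text>"
LINE = re.compile(r"^(?P<t>\d+) FW=(?P<fw>\S+) DEST=(?P<ip>\S+) (?P<event>.+)$")


def parse(lines):
    """Yield (time, unit, address, event) for every line in the assumed format."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield int(m["t"]), m["fw"], m["ip"], m["event"]


def find_repeats(lines, event="ICMP overflow", min_hits=3, window=60, jitter=2):
    """Return a warning for each (unit, address) with min_hits occurrences of
    `event` inside `window` seconds. `periodic` is True when the gaps between
    the hits differ by at most `jitter` seconds, i.e. a T, T+delta, ... pattern."""
    times = defaultdict(list)
    for t, fw, ip, ev in parse(lines):
        if ev == event:
            times[(fw, ip)].append(t)

    warnings = []
    for (fw, ip), ts in sorted(times.items()):
        ts.sort()
        for i in range(len(ts) - min_hits + 1):
            run = ts[i:i + min_hits]
            if run[-1] - run[0] <= window:
                gaps = [b - a for a, b in zip(run, run[1:])]
                warnings.append({
                    "fw": fw,
                    "ip": ip,
                    "first": run[0],
                    "hits": len(ts),
                    "periodic": max(gaps) - min(gaps) <= jitter,
                })
                break
    return warnings


# Constructed sample log: T = 1000, delta = 10.
SAMPLE_LOG = """\
1000 FW=Tabasco DEST=192.0.2.10 ICMP overflow
1003 FW=Tabasco DEST=192.0.2.44 link up
1010 FW=Tabasco DEST=192.0.2.10 ICMP overflow
this line is not in the assumed format
1020 FW=Tabasco DEST=192.0.2.10 ICMP overflow
1500 FW=Tabasco DEST=192.0.2.77 ICMP overflow
""".splitlines()

if __name__ == "__main__":
    for warning in find_repeats(SAMPLE_LOG):
        print("WARNING possible denial of service:", warning)
```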

[0295] According to a third embodiment of applicable UBA's within the scope of the invention, a Protocol User Behavior Agent, PUBA, is established.

[0296] The Protocol User Behavior Agent, PUBA, involves an agent which may be located at the customer's network collecting network data traffic on a protocol level. The agent may e.g. reside in a dedicated unit comprising several network units. The content of the data packets is analyzed on a realtime basis, and deviating user behavior may e.g. be established by applying more or less complicated neural patterns.

[0297] Amongst several possibilities, the Protocol User Behavior Agent, PUBA, should establish statistics showing for example which IP-addresses are visiting whom, when and how often. Certain types of deviating behavior should be reported to the network responsible and to the TSMADARS operators.

[0298] According to a fourth embodiment of applicable UBA's within the scope of the invention, a Macro-Log User Behavior Agent, MLUBA, is established.

[0299] Basically, the MLUBA's operate in the same way as the LUBA's, with the exception that these agents are adapted for detecting whether user behavior is deviating from the expected on a long-term basis. Thus a Macro-Log User Behavior Agent, MLUBA, reports if incidents, e.g. detected for example by the Log User Behavior Agents, are repeated over a long period, for example in certain patterns.

1. System for providing customer requested services relating to—for instance—security, monitoring and/or data acquisition in relation to a data processing device and/or a data network (Target 1-Target k) of a customer, wherein one or more of a plurality of tests are selected to be executed in relation to said data processing device and/or a data network (Target 1-Target k), said selection (201; 202; 203, 210) of one or more tests are executed from a server (TSMADARS server) which is connectable to said data processing devices and/or data network (Target 1-Target k) via a communication network (140), and wherein data representing results of said selection of tests may be accessed by the customer via a communication network and/or transmitted to said customer.
2. System according to claim 1, characterized in, that said one or more selected tests are selected on the basis of preferences of the customer and/or on the basis of an analysis of said data processing device and/or data network of the customer.
3. System according to claim 1 or 2, characterized in, that said one or more selected tests are selected on the basis of results of one or more manually initiated executions of tests on said data processing device and/or data network.
4. System according to one or more of claims 1-3, characterized in, that said one or more tests may be configured to be executed each on predefined points of time and/or in predefined intervals of time.
5. System according to one or more of claims 1-4, characterized in, that said one or more tests may be configured to be executed each on a regular basis and that the frequency of said regular executions may be specified preferably in accordance with customer preferences and/or on the basis of analysis/analyses and/or a reference testing on said data processing device and/or data network
6. System according to one or more of claims 1-5, characterized in, that means (121, 122) is provided for performing a comparison between data representing one or more results of a test and one or more threshold values and that means (122, 102, 140) are provided for the establishing of an alarm, advice and/or information message.
7. System according to claim 6, characterized in, that said one or more threshold values may be specified by the customer.
8. System according to claim 6 or 7, characterized in, that said one or more threshold values may be specified on the basis of results of manually initiated executions of one or more tests performed on said data processing device and/or network.
9. System according to claim 6, 7 or 8, characterized in, that said manually initiated executions of one or more tests, e.g. reference tests, performed on said data processing device and/or network may be performed with regular intervals of time.
10. System according to one or more of claims 1-9, characterized in, that said communication network (140), by means of which said server (TSMADARS-server) is connectable to said data processing device and/or data network (Target 1-Target k) is a secure network facilitating use of authentication and/or encryption.
11. System according to one or more of claims 1-10, characterized in, that said communication network (140), by means of which said data representing results may be accessed, downloaded and/or transmitted by/to the customer is a secure network facilitating use of authentication and/or encryption.
12. System according to one or more of claims 1-11, characterized in, that said plurality of test applications comprises tests relating to security testing (103 a), quality testing (103 b), telecommunication security testing (103 c), security information collecting service (103 e), security auditing (103 g), communication line testing (103 h) and/or test laboratory services.
13. System according to one or more of claims 1-12, characterized in, that said one or more selected tests are configured in a test suite file (210) dedicated to each of a one or more customers (User 1-User m), said test suite file comprising for each test information (225) relating to a target data system and relating to the execution (223, 224) of said test.
14. System according to claim 13, characterized in, that said test suite file may comprise one or more links each to a recorded preparation of a software application, said preparation or preparations comprising input actions and/or operations performed on a graphical user interface (605).
15. System according to claim 14, characterized in, that said one or more recorded preparations of a software application is/are dedicated to a particular target system.
16. System for preparing an automatic execution of a test software application, said test software application comprising input means for operating said test software application and/or for specifying and/or selecting parameters relevant for the execution of said test software application and wherein said input means may be operated by means of computer input means such as a keyboard and/or a computer mouse, wherein said system comprises means for storing data indicative of operations performed on said test software application by means of said computer input means, and parameter data specified and/or selected by means of said computer input means, and means for indicating a sequential relation between said data.
17. System according to claim 16, characterized in, that said means for indicating a sequential relation between said data comprises a sequential listing of data stored by said storing means.
18. System according to claim 16 or 17, characterized in, that said data indicative of operations performed on said test software application by means of said computer input means comprises data indicative of a reference location of a graphical user interface of said test software application and possibly data indicative of a dimensional relationship between said graphical user interface and said computer input means.
19. Method of monitoring the traffic of data packets in a data network (800) comprising a number of network units (814-817), at least one of said network units (814-817) comprising access control lists (821, 824, 825, 826) defining data traffic rules associated to the network units (814-817), the data traffic of the said network comprising data packets (801), said data packets (801) comprising at least one destination (802) and at least one source address (803), establishing at least one reference list (832) reflecting a number of data traffic rules associated to the said network unit (814-817) establishing at number of “monitoring points” (827-830) in the said network (800), measuring the data traffic in the said monitoring points (827-830) comparing the said measured data traffic with the said data traffic rules, establishing a warning if the comparing reveals that measured data traffic comprises data packets conflicting with the said reference list (832).
20. Method of monitoring the traffic of data packets in a data network (800) according to claim 19, wherein said at least one reference list (832) comprises data traffic rules copied from at least one of the access control lists (821, 824, 825, 826) associated to the said network units (827-830).
21. Method of monitoring the traffic of data packets in a data network (800) according to 19 or 21, wherein the said destination address (802) comprises an IP-address or a address relating to an other type of protocol and where the said source address (803) comprises an IP-address or a address relating to an other type of protocol.
22. Method of monitoring the traffic of data packets in a data network (800) according to any of the claims 19 to 21, wherein the said traffic rules comprises different combinations of forbidden source and destination addresses.
23. Method of monitoring the traffic of data packets in a data network (800) according to any of the claims 19 to 22, wherein at least one of the said network units (814-817) comprising access control lists (821, 824, 825, 826) defining data traffic rules associated to the network units (814-817) comprises a firewall and/or a network router and/or a network bridge.
24. Method of monitoring the traffic of data packets in a data network (800) according to any of the claims 19 to 23, whereby the said monitoring points are established in preferably all identified segment of the network (800).
25. Method of monitoring the traffic of data packets in a data network (800) according to any of the claims 19 to 24, whereby the said reference list (832) is established for the purpose of simulating the data traffic in the network if at least one of the access control lists (821, 824, 825, 826) of the network units (814-817) are changed.
26. Method of monitoring the traffic of data packets in a data network (800) comprising a number of network units (814-817), at least one of said network units (814-817) comprising access control lists (821, 824, 825, 826) defining data traffic rules associated to the network units (814-817), the data traffic of the said network comprising data packets (800), said data packets (801) comprising at least one destination (802) and at least one source address (803), establishing at least logging file in a database (819) reflecting log-messages established in at least one network unit (814-817) comparing the said log messages to pre-established log-patterns, establishing a warning if pre-established patterns or variations of the pre-established patterns are identified.
27. Method of monitoring the traffic of data packets according to claim 26, whereby the said log-messages are established by different networks units (814-817) of the network.
28. Virtual API editor (606) comprising means for selecting an application, said application being operated by means of a graphical user interface (605) on data processing means (602) and at least one associated input device (603, 604) means for displaying (601) the graphical user interface (605) of a selected application in a display area (601) means for establishing at least one virtual input device script (303), said virtual input device script (303) defining the sequential operation of at least one input device (603, 604).
29. Virtual API editor (606) according to claim 28, means for executing the said virtual input device script (303) in such a way the said virtual input device script (303) results in an execution of the said selected application via the said graphical user interface (605) associated to the said selected application.
 30. Method of establishing a virtual APIeditor (702) comprising reverse engineering the program code of aselected software application, identifying a number of relevant inputfields in the code of the software application, providing a graphicaluser interface (701) having input fields corresponding to the relevantinput fields, inserting data by means of at least one computer inputdevice (603, 604) into the reverse engineered program code in theidentified relevant fields via the said graphical user interface (701),compiling the established program code comprising the inserted data intoone instances of an executable application of the selected application.31. (New) System for providing customer requested services relating tosecurity, monitoring, and/or data acquisition in relation to a dataprocessing device and/or a data network of a customer, wherein: one ormore of a plurality of tests are selected to be executed in relation tosaid data processing device and/or data network; said selection of oneor more tests are-executed from a server which is connectable to saiddata processing devices and/or data network via a communication network;and wherein data representing results of said selection of tests areaccessible by the customer via a communication network and/ortransmitted to said customer.
 32. (New) System according to claim 31,wherein said one or more selected tests are selected on a basis ofpreferences of the customer and/or on a basis of an analysis of saiddata processing device and/or data network of the customer.
 33. (New)System according to claim 31, wherein said one or more selected testsare selected on a basis of results of one or more manually initiatedexecutions of tests on said data processing device and/or data network.34. (New) System according to claim 31, wherein said one or more testsis/are configured to be executed each on predefined points of timeand/or in predefined intervals of time.
 35. (New) System according toclaim 31, wherein said one or more tests is/are configured to beexecuted each on a regular basis and a frequency of said regularexecutions is specified preferably in accordance with customerpreferences and/or on a basis of analysis/analyses and/or a referencetesting on said data processing device and/or data network
 36. (New)System according to claim 31, further comprising means for performing acomparison between data representing one or more results of the test andone or more threshold values and means for establishing an alarm, adviceand/or information message.
 37. (New) System according to claim 36,wherein said one or more threshold values is/are specified by thecustomer.
 38. (New) System according to claim 36, wherein said one ormore threshold values is/are specified on a basis of results of manuallyinitiated executions of one or more tests performed on said dataprocessing device and/or network.
 39. (New) System according to claim38, wherein said manually initiated executions of one or more testsperformed on said data processing device and/or network is/are performedwith regular intervals of time.
 40. (New) System according to claim 31,wherein said communication network, by means of which said server isconnectable to said data processing device and/or data network, is asecure network facilitating use of authentication and/or encryption. 41.(New) System according to claim 31, wherein said communication network,by means of which said data representing results can be accessed,downloaded and/or transmitted by/to the customer is a secure networkfacilitating use of authentication and/or encryption.
 42. (New) Systemaccording to claim 31, wherein said plurality of test applicationscomprises tests relating to security testing, quality testing,telecommunication security testing, security information collectingservice, security auditing, communication line testing, and/or testlaboratory services.
 43. (New) System according to claim 31, whereinsaid one or more selected tests are configured in a test suite filededicated to each of said customers, said test suite file comprising foreach test information relating to a target data system and relating tothe execution of said test.
 44. (New) System according to claim 43,wherein said test suite file comprises one or more links each to arecorded preparation of a software application, said preparation orpreparations comprising input actions and/or operations performed on agraphical user interface.
 45. (New) System according to claim 44,wherein said one or more recorded preparations of a software applicationis/are dedicated to a particular target system.
 46. (New) Systemaccording to claim 31, further comprising a subsystem for preparing anautomatic execution of a test software application, said test softwareapplication comprising input means for operating said test softwareapplication and/or for specifying and/or selecting parameters relevantfor execution of said test software application, wherein said inputmeans are operated by means for computer input, said subsystemcomprising: means for storing data indicative of operations performed onsaid test software application by means of said computer input means andparameter data specified and/or selected by means of said computer inputmeans; and means for indicating a sequential relation between said data.47. (New) System according to claim 46, wherein said means forindicating a sequential relation between said data comprises asequential listing of data stored by said storing means.
 48. (New)System according to claim 46, wherein said data indicative of operationsperformed on said test software application by means of said computerinput means comprises data indicative of a reference location of agraphical user interface of said test software application and possiblydata indicative of a dimensional relationship between said graphicaluser interface and said computer input means.
 49. (New) Method ofmonitoring traffic of data packets in a data network comprising a numberof network units, at least one of said network units comprising accesscontrol lists defining data traffic rules associated to the networkunits, the data traffic of said network comprising data packets, saiddata packets comprising at least one destination and at least one sourceaddress, the method comprising: establishing at least one reference listreflecting a number of data traffic rules associated to the said networkunit; establishing a number of monitoring points in said network;measuring the data traffic in said monitoring points; comparing saidmeasured data traffic with said data traffic rules; and establishing awarning if the comparing reveals that measured data traffic comprisesdata packets conflicting with said reference list.
 50. (New) Method ofmonitoring the traffic of data packets in a data network according toclaim 49, wherein said at least one reference list comprises datatraffic rules copied from at least one of the access control listsassociated to said network units.
 51. (New) Method of monitoring thetraffic of data packets in a data network according to 49, wherein thesaid destination comprises an IP-address or an address relating toanother type of protocol and wherein the said source address comprisesan IP-address or an address relating to another type of protocol. 52.(New) Method of monitoring the traffic of data packets in a data networkaccording to claim 50, wherein said traffic rules comprise differentcombinations of forbidden source and destination addresses.
 53. (New)Method of monitoring the traffic of data packets in a data networkaccording claim 49, wherein at least one of said network unitscomprising access control lists defining data traffic rules associatedto the network units comprises a firewall and/or a network router and/ora network bridge.
 54. (New) Method of monitoring the traffic of datapackets in a data network according to claim 49, wherein said monitoringpoints are established in preferably all identified segments of thenetwork.
55. (New) Method of monitoring the traffic of data packets in a data network according to claim 49, wherein said reference list is established for a purpose of simulating the data traffic in the network if at least one of the access control lists of the network units are changed.
56. (New) Method of monitoring the traffic of data packets in a data network according to claim 49, further comprising: establishing a logging file in a database reflecting log-messages established in said network unit; comparing said log messages to pre-established log-patterns; and establishing a warning if pre-established patterns or variations of the pre-established patterns are identified.
57. (New) Method of monitoring the traffic of data packets according to claim 56, wherein said log-messages are established by different network units of the network.
58. (New) Virtual API editor, comprising: means for selecting an application, said application being operated by means of a graphical user interface on data processing means and at least one associated input device; means for displaying the graphical user interface of a selected application in a display area; and means for establishing at least one virtual input device script, said virtual input device script defining the sequential operation of the input device.
59. (New) Virtual API editor according to claim 58, wherein said means for executing said virtual input device script operates such that the said virtual input device script results in an execution of said selected application via said graphical user interface associated to said selected application.
60. (New) Method of establishing a virtual API editor, comprising: reverse engineering a program code of a selected software application; identifying a number of relevant input fields in the code of the software application; providing a graphical user interface having input fields corresponding to the relevant input fields; inserting data by means of at least one computer input device into the reverse engineered program code in the identified relevant fields via the said graphical user interface; and compiling the established program code comprising the inserted data into one instance of an executable application of the selected application.
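
The monitoring method of claims 49 to 52, sketched as an added Python example that is not part of the patent text: deny rules are copied from an access control list into a reference list, and packets measured at monitoring points are compared against it to raise warnings. The ACL line format (`<action> <src-cidr> <dst-cidr>`), the function names, the monitoring point labels and all addresses are assumptions constructed for illustration; only deny entries are copied, and first-match ordering of the original ACL is not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One forbidden source/destination combination (claim 52)."""
    src: object  # ipaddress network object
    dst: object  # ipaddress network object

def build_reference_list(acl_lines):
    """Copy the deny rules of an ACL into a reference list (claim 50).
    Assumed line format: '<action> <src-cidr> <dst-cidr>'."""
    rules = []
    for line in acl_lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "deny":
            continue  # permit entries and malformed lines are not copied
        rules.append(Rule(ipaddress.ip_network(parts[1]),
                          ipaddress.ip_network(parts[2])))
    return rules

def check_traffic(reference_list, observations):
    """Compare traffic measured at monitoring points with the reference
    list and return one warning per conflicting packet (claim 49)."""
    warnings = []
    for point, src, dst in observations:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in reference_list:
            if s in rule.src and d in rule.dst:
                # Forbidden traffic was seen on the wire, so the network
                # unit that should block it is not enforcing its ACL.
                warnings.append((point, src, dst, f"{rule.src} -> {rule.dst}"))
                break
    return warnings

# Constructed sample ACL and measurements (not taken from the patent).
ACL = [
    "permit 10.0.1.0/24 10.0.9.0/24",
    "deny 10.0.2.0/24 10.0.9.0/24",
    "deny 0.0.0.0/0 10.0.9.5/32",
]
OBSERVED = [
    ("seg-A", "10.0.1.7", "10.0.9.20"),   # allowed
    ("seg-B", "10.0.2.14", "10.0.9.20"),  # conflicts with the second rule
    ("seg-C", "192.0.2.44", "10.0.9.5"),  # conflicts with the third rule
]

if __name__ == "__main__":
    for w in check_traffic(build_reference_list(ACL), OBSERVED):
        print("WARNING", *w)
```

Because the reference list is held separately from the network units, the same comparison can be rerun against a proposed ACL change before it is deployed, which is the simulation use described in claim 55.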